I've heard that some XSS attacks can be done by posting an image to a site that has javascript as the src attribute. Are there certain browsers that will protect me from this type of attack?

+1  A: 

Not sure which browsers detect it, but here is how to prevent it:

  • Requiring authentication in GET and POST parameters, not only cookies;
  • Checking the HTTP Referer header;
  • Ensuring there's no crossdomain.xml file granting unintended access to Flash movies
  • Limiting the lifetime of authentication cookies
  • When processing a POST, disregard URL parameters if you know they should come from a form
  • Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site can't put the right token in its submissions.

Source: http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention

Sarfraz
+1  A: 

I know for a fact that no browser allows JavaScript to be executed in the src= attribute of an image tag. If any browser did this, it is a vulnerability in the browser; a CVE number should be issued for that browser and it will be patched. Edit: I have tested this against the most recent IE8, Chrome and Firefox, and they have all patched this issue. If you are still vulnerable to this then you have MUCH bigger problems on your hands, because an attacker will most definitely be able to pop a shell on your box.

However, `<img src=img.jpg onload="alert(/xss/)"/>` could be used to execute JavaScript. Thus if an attacker can control part of the source he could inject a string like this: `src="fake.jpg" onload="alert(/xss/)"`. This is exactly why `htmlspecialchars($image_location, ENT_QUOTES);` should be used instead of `htmlspecialchars($image_location)`. Another approach is to use HTML Purifier, which is able to remove JavaScript like this automatically.

If you want to protect your own browser from XSS then you should use noscript.

Allowing image tags could be used to exploit GET-based XSRF. This is particularly bad if the software is only doing a Referer check. However, most applications use token-based XSRF protection, which makes requests immune to this attack. However, your site could be used to attack other people's sites with forged GET requests, but this isn't a very serious threat. One method of protection would be to make sure that there is actually an image at this location, and reject the img tag if no image exists.

Rook
Are you sure? Because according to http://elf.org/essay/inline-image.html , there was a time at least in the past where you could use the `javascript:` URL scheme to feed in image data...
Weston C
@Weston C Yes, I am 100% sure about this; what this paper is referring to is typing `javascript:alert('js!')` into your address bar. If you don't believe me, try writing a .html file with an image tag that contains `javascript:`.
Rook
I'm going to have to disagree, @Rook. I've seen this mentioned in several places. From what I can tell it was only an issue a few years ago, so I'm assuming only older browsers have this vulnerability, but it would be nice to have a list.
Abe Miessler
@Abe Miessler If you can show me some code or any kind of evidence then I'll change my post, but until then I think this was either patched a decade ago or was never an issue.
Rook
@Abe Miessler okay so it was patched a couple of years ago, not a decade, my bad.
Rook
While there may or may not be any browsers that respect js URL schemes for images today, this is exactly what Critchelow is talking about: "The javascript:imageData method was offered by Martin Webb on the comp.lang.javascript newsgroup when I asked for help. This uses a javascript url to supply the value for the src= attribute of an IMG element, or for the .src property of an Image object." It may have been a Netscape Navigator thing, and it doesn't seem to work in Safari or Firefox, but it's hard to tell if that's because it's not supported or if I'm not feeding the raw GIF data correctly.
Weston C
@Weston C Yeah, I tried it on a modern browser and I didn't read that page very well. Sorry; either way, if you're running a browser vulnerable to this then you have **MUCH** bigger problems on your hands, because an attacker will be able to pop a shell on your box.
Rook
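A worked example of the attribute-escaping point in Rook's answer, added here and not part of any answer in the thread. The two escape functions are JavaScript stand-ins for PHP's `htmlspecialchars()` with its historical default flags (ENT_COMPAT, which escapes `& < >` and the double quote) and with ENT_QUOTES (which also escapes the single quote); the attribute tokenizer is a small approximation written for this example, not a real HTML parser, and the attacker strings are constructed. It goes one step past the answer by covering all three ways a template can quote the attribute, because that is what decides whether the injected `onload` becomes an attribute or stays inside the value.

```javascript
// Added example (not from the thread): JavaScript stand-ins for PHP's
// htmlspecialchars() with and without ENT_QUOTES, plus a small attribute
// tokenizer, to show when the difference matters for an <img src=...> tag.

// htmlspecialchars($s) with its historical default flags (ENT_COMPAT):
// escapes & < > and the double quote, but leaves the single quote alone.
function escapeCompat(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// htmlspecialchars($s, ENT_QUOTES): additionally escapes the single quote.
function escapeQuotes(s) {
  return escapeCompat(s).replace(/'/g, '&#039;');
}

// Reverse the entities above, so attribute values come back as the browser
// would see them (an escaped payload survives as data, not as markup).
function decodeEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&#0?39;/g, "'")
          .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Approximate attribute tokenizer for one start tag (assumption: written for
// this example, not a real HTML parser). Handles double-quoted, single-quoted
// and unquoted values, which is all the demonstration needs.
function attributesOf(tag) {
  const body = tag.replace(/^<\s*\w+/, '').replace(/\/?>\s*$/, '');
  const re = /([^\s=\/]+)(?:=(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Render the tag the three ways a template might write it.
function renderImg(userPath, quoting, escape) {
  const v = escape(userPath);
  if (quoting === 'double') return `<img src="${v}">`;
  if (quoting === 'single') return `<img src='${v}'>`;
  return `<img src=${v}>`; // unquoted
}

// Did the attacker manage to add an event-handler attribute?
function hasHandler(tag) {
  return Object.keys(attributesOf(tag)).some((n) => n.startsWith('on'));
}

// Constructed attacker inputs, one per quoting style.
const ATTACK_SINGLE   = "fake.jpg' onload='alert(/xss/)";
const ATTACK_DOUBLE   = 'fake.jpg" onload="alert(/xss/)';
const ATTACK_UNQUOTED = 'fake.jpg onload=alert(/xss/)';

function outcomes() {
  return {
    singleCompat:   hasHandler(renderImg(ATTACK_SINGLE, 'single', escapeCompat)),     // true: ' not escaped
    singleQuotes:   hasHandler(renderImg(ATTACK_SINGLE, 'single', escapeQuotes)),     // false
    doubleCompat:   hasHandler(renderImg(ATTACK_DOUBLE, 'double', escapeCompat)),     // false: " escaped either way
    unquotedQuotes: hasHandler(renderImg(ATTACK_UNQUOTED, 'unquoted', escapeQuotes)), // true: nothing to escape
  };
}

console.log(outcomes());
```

The unquoted case is the one to remember: with `<img src=...>` a space is enough to start a new attribute, so no amount of quote escaping helps and the template must quote the attribute as well as escape the value.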
+1  A: 

Mozilla Firefox with the NoScript addon. It basically forces you to manually run JavaScript from unknown sources.

Jim
Cool, I would give you a +1 if I hadn't already posted this.
Rook
+3  A: 

From http://ha.ckers.org/xss.html:

Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in context of an image, but it does in other contexts, but the following show the principles that would work in other tags as well - I'll probably revise this at a later date):

<IMG SRC="javascript:alert('XSS');">

Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Annie
+1, aah, so it was patched.
Rook
Just writing the same... :) Good one!
Pedro Laguna
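A server-side check for the `javascript:` image-source vector the cheat sheet entry above describes, added here as an example and not part of the ha.ckers.org page or of any answer. Rather than relying on the browser, it allowlists the URL scheme of a user-supplied image location. Before looking at the scheme it undoes the two things a browser does before URL parsing, which is where obfuscated variants of `javascript:` hide: decoding HTML entities in the attribute value, and dropping tab, newline and carriage return characters plus leading and trailing control characters. The function names, the allowlist and the sample inputs are this example's own; the entity decoder is a small approximation of the HTML rules.

```javascript
// Added example (not from the cheat sheet or the thread): allowlist the
// scheme of a user-supplied image URL after normalizing it the way a
// browser would before it decides what the scheme is.

// Small subset of HTML named character references (assumption for this example).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };

// Decode numeric (&#106; &#x6A;) and a few named (&Tab; &amp;) references,
// with or without the trailing semicolon, as an HTML attribute value would be.
function decodeAttrValue(v) {
  return v.replace(/&(#x([0-9a-f]+)|#(\d+)|([a-z]+));?/gi, (m, _all, hex, dec, name) => {
    if (hex || dec) {
      const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? m : String.fromCodePoint(cp);
    }
    const n = NAMED[name.toLowerCase()];
    return n !== undefined ? n : m;
  });
}

// Mirror the URL parser's pre-processing: tab/newline/CR are removed anywhere,
// leading and trailing C0 controls and spaces are stripped.
function normalizeUrl(raw) {
  return decodeAttrValue(raw)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
}

// Only these schemes may load an image. Relative URLs (no scheme) are fine too.
const ALLOWED_SCHEMES = new Set(['http', 'https']);

function isSafeImageSrc(raw) {
  const u = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(u);
  if (!m) return true; // relative or protocol-relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed inputs: the cheat sheet's payload, some obfuscated forms, and
// legitimate image locations.
const SAMPLES = [
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert('XSS')",
  "jav&#x09;ascript:alert('XSS')",
  '&#106;&#97;&#118;&#97;script:alert(1)',
  ' \u0001javascript:alert(1)',
  'vbscript:msgbox(1)',
  'data:image/png;base64,AAAA',
  'https://example.com/a.png',
  '/images/a.png',
];

function classify() {
  return SAMPLES.map((s) => ({ src: s, allowed: isSafeImageSrc(s) }));
}

console.log(classify());
```

Allowlisting schemes is the robust form of the check; a denylist of `javascript:` spellings is exactly what the entity and whitespace tricks are designed to slip past.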